Splunk Search

Comparing fields when extracting the field from the source

rossparfect
Path Finder

Evening all,

I've been at this for a couple of days, and although I have built the rest of the search I still can't get my compare to return a success or failure.

I have tried stats, join, coalesce, case (which works when I manually enter the second field), so here's the challenge:

CSVs, let's call them incomingone and ackone123456, and both are from different sourcetypes.

The only way to confirm that the incoming has been successful is to extract the 123456 from the ackone file and then compare it to a field (for argument's sake called itshere) inside the incomingone file.

Now if I do stats values and use an mvexpand command I can get a success or failure; however, I can't display the rest of the fields, and I need to have way more information on each line.

Now I created my own dummy data and tried it:

index="compare_index" sourcetype="outcomeack" OR sourcetype="outbound" | rex field=source "outbound(?<REF>\d+)\." | eval error = if(outcome == 'REF', "OK", "Problem")

The rex extracts the REF and creates the field; however, each time I get 3 "Problem"s. Note my dummy data is just 3 CSVs, as I can't post the actual environment data on here, and I also wanted to check it wasn't the data.

Also tried a join with a match, but still to no avail.

Anyone have any ideas?

If I use case and eval with, for example, 123456 hard-coded in the eval, case(itshere=="123456", "success", 1==1, "failure"), then that works.

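One way to do the correlation the post describes, as an added example that is not from the original post: eval sees one event at a time, so the REF extracted from the outbound file's source and the outcome field of an outcomeack event never sit in the same event, and a per-event if() always falls through to "Problem". Normalising both onto a shared key, then grouping with stats, keeps every other field on the result row. This assumes the dummy-data names from the post (index compare_index, sourcetypes outbound and outcomeack, field outcome) and that outcome holds the same reference number that appears in the outbound filename.

```spl
index="compare_index" (sourcetype="outbound" OR sourcetype="outcomeack")
| rex field=source "outbound(?<REF>\d+)\."
| eval REF=coalesce(REF, outcome)
| eval is_ack=if(sourcetype=="outcomeack", 1, 0)
| stats sum(is_ack) AS ack_count, values(*) AS * BY REF
| eval error=if(ack_count > 0, "OK", "Problem")
| fields - is_ack
| table REF error ack_count *
```

An outbound file whose reference never appears in an outcomeack event ends up with ack_count 0 and error "Problem"; one that does gets "OK", with values(*) carrying the rest of the fields from both sourcetypes onto that row.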